Issue 5842 - Add log buffering to audit log

Description: Add log buffering to audit/auditfail logs. Since these logs are intertwined there is only one config setting for both logs: nsslapd-auditlog-logbuffering: on/off relates: #5842 Reviewed by: spichugi(Thanks!)
389ds · Mar 4, 2024 · 7910187 · 7910187
1 parent f19b93e
commit 7910187
Show file tree

Hide file tree

Showing 13 changed files with 461 additions and 105 deletions.
diff --git a/dirsrvtests/tests/suites/ds_logs/audit_log_test.py b/dirsrvtests/tests/suites/ds_logs/audit_log_test.py
@@ -1,11 +1,12 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2022 Red Hat, Inc.
+# Copyright (C) 2022-2024 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
 
+import ldap
 import logging
 import pytest
 import os
@@ -95,10 +96,90 @@ def test_auditlog_display_attrs(topo):
     time.sleep(1)
     assert inst.ds_audit_log.match("#sn: modrdn_delete")
 
+def test_auditlog_bof(topo):
+    """Test that value containing 256 chars doesn't crash the server
+
+    :id: 767c0604-146d-4d07-8bf4-1093f51ce97b
+    :setup: Standalone Instance
+    :steps:
+        1. Change 'cn' attribute to contain exactly 256 chars
+        2. Test that server didn't crash
+    :expectedresults:
+        1. Success
+        2. Success
+    """
+
+    inst = topo.standalone
+    inst.config.replace('nsslapd-auditlog-logging-enabled', 'on')
+
+    inst.config.replace('nsslapd-auditlog-display-attrs', 'cn')
+    users = UserAccounts(inst, DEFAULT_SUFFIX)
+    users.ensure_state(properties={
+        'uid': 'test_auditlog_bof',
+        'cn': 'A'*256,
+        'sn': 'user',
+        'uidNumber': '1001',
+        'gidNumber': '1001',
+        'homeDirectory': '/home/auditlog_bof',
+    })
+    time.sleep(1)
+    assert inst.status() == True
+
+def test_auditlog_buffering(topo, request):
+    """Test log buffering works as expected when on or off
+
+    :id: 08f1ccf0-c1fb-4427-9300-24585e336ae7
+    :setup: Standalone Instance
+    :steps:
+        1. Set buffering on
+        2. Make update and immediately check log (update should not be present)
+        3. Make invalid update, failed update should not be in log
+        4. Disable buffering
+        5. Make update and immediately check log (update should be present)
+        6. Make invalid update, both failed updates should be in log
+    :expectedresults:
+        1. Success
+        2. Success
+        3. Success
+        4. Success
+        5. Success
+        6. Success
+    """
+
+    # Configure instance
+    inst = topo.standalone
+    inst.config.replace('nsslapd-auditlog-logging-enabled', 'on')
+    inst.config.replace('nsslapd-auditfaillog-logging-enabled', 'on')
+    inst.config.replace('nsslapd-auditlog-logbuffering', 'on')
+    inst.deleteAuditLogs()  # Start with fresh set of logs
+    original_value = inst.config.get_attr_val_utf8('nsslapd-timelimit')
+
+    # Make a good and bad update and check neither are logged
+    inst.config.replace('nsslapd-timelimit', '999')
+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+        inst.config.replace('no_such_attr', 'blah')
+    time.sleep(1)
+    assert not inst.ds_audit_log.match("nsslapd-timelimit: 999")
+    assert not inst.ds_audit_log.match("result: 53")
+
+    # Make a good and bad update and check both are logged
+    inst.config.replace('nsslapd-auditlog-logbuffering', 'off')
+    inst.config.replace('nsslapd-timelimit', '888')
+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+        inst.config.replace('no_such_attr', 'nope')
+    time.sleep(1)
+    assert inst.ds_audit_log.match("nsslapd-timelimit: 888")
+    # Both failed updates should be present (easiest way to check log)
+    assert len(inst.ds_audit_log.match("result: 53")) == 2
+
+    # Reset timelimit just to be safe
+    def fin():
+        inst.config.replace('nsslapd-timelimit', original_value)
+    request.addfinalizer(fin)
+
 
 if __name__ == '__main__':
     # Run isolated
     # -s for DEBUG mode
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main(["-s", CURRENT_FILE])
-
diff --git a/dirsrvtests/tests/suites/healthcheck/health_config_test.py b/dirsrvtests/tests/suites/healthcheck/health_config_test.py
@@ -505,7 +505,7 @@ def test_healthcheck_unauth_binds(topology_st):
     inst.config.set("nsslapd-allow-unauthenticated-binds", "off")
 
 def test_healthcheck_accesslog_buffering(topology_st):
-    """Check if HealthCheck returns DSCLE0004 code when acccess log biffering
+    """Check if HealthCheck returns DSCLE0004 code when acccess log buffering
     is disabled
 
     :id: 5a6512fd-1c7b-4557-9278-45150423148b
@@ -537,7 +537,7 @@ def test_healthcheck_accesslog_buffering(topology_st):
     inst.config.set("nsslapd-accesslog-logbuffering", "on")
 
 def test_healthcheck_securitylog_buffering(topology_st):
-    """Check if HealthCheck returns DSCLE0005 code when security log biffering
+    """Check if HealthCheck returns DSCLE0005 code when security log buffering
     is disabled
 
     :id: 9b84287a-e022-4bdc-8c65-2276b37371b5
@@ -568,6 +568,41 @@ def test_healthcheck_securitylog_buffering(topology_st):
     log.info('Reset nnsslapd-securitylog-logbuffering to on')
     inst.config.set("nsslapd-securitylog-logbuffering", "on")
 
+def test_healthcheck_auditlog_buffering(topology_st):
+    """Check if HealthCheck returns DSCLE0006 code when audit log buffering
+    is disabled
+
+    :id: f030c9f3-0ce7-4156-ba70-81ef3ac82867
+    :setup: Standalone instance
+    :steps:
+        1. Create DS instance
+        2. Set nsslapd-auditlog-logbuffering to off
+        3. Use HealthCheck without --json option
+        4. Use HealthCheck with --json option
+    :expectedresults:
+        1. Success
+        2. Success
+        3. Healthcheck reports DSCLE0006
+        4. Healthcheck reports DSCLE0006
+    """
+
+    RET_CODE = 'DSCLE0006'
+
+    inst = topology_st.standalone
+    enabled = inst.config.get_attr_val_utf8('nsslapd-auditlog-logging-enabled')
+
+    log.info('nsslapd-auditlog-logbuffering to off')
+    inst.config.set('nsslapd-auditlog-logging-enabled', 'on')
+    inst.config.set('nsslapd-auditlog-logbuffering', 'off')
+
+    run_healthcheck_and_flush_log(topology_st, inst, RET_CODE, json=False)
+    run_healthcheck_and_flush_log(topology_st, inst, RET_CODE, json=True)
+
+    # reset setting
+    log.info('Reset nnsslapd-auditlog-logbuffering to on')
+    inst.config.set('nsslapd-auditlog-logbuffering', 'on')
+    inst.config.set('nsslapd-auditlog-logging-enabled', enabled)
+
 
 if __name__ == '__main__':
     # Run isolated

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
@@ -193,6 +193,7 @@ slapi_onoff_t init_securitylogbuffering;
 slapi_onoff_t init_external_libs_debug_enabled;
 slapi_onoff_t init_errorlog_logging_enabled;
 slapi_onoff_t init_auditlog_logging_enabled;
+slapi_onoff_t init_auditlogbuffering;
 slapi_onoff_t init_auditlog_logging_hide_unhashed_pw;
 slapi_onoff_t init_auditfaillog_logging_enabled;
 slapi_onoff_t init_auditfaillog_logging_hide_unhashed_pw;
@@ -832,6 +833,10 @@ static struct config_get_and_set
      NULL, 0,
      (void **)&global_slapdFrontendConfig.accesslogbuffering,
      CONFIG_ON_OFF, NULL, &init_accesslogbuffering, NULL},
+    {CONFIG_AUDITLOG_BUFFERING_ATTRIBUTE, config_set_auditlogbuffering,
+     NULL, 0,
+     (void **)&global_slapdFrontendConfig.auditlogbuffering,
+     CONFIG_ON_OFF, NULL, &init_auditlogbuffering, NULL},
     {CONFIG_SECURITYLOG_BUFFERING_ATTRIBUTE, config_set_securitylogbuffering,
      NULL, 0,
      (void **)&global_slapdFrontendConfig.securitylogbuffering,
@@ -1922,6 +1927,7 @@ FrontendConfig_init(void)
     cfg->auditlog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
     init_auditlog_logging_hide_unhashed_pw =
         cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
+    init_auditlogbuffering = cfg->auditlogbuffering = LDAP_ON;
     init_auditlog_compress_enabled = cfg->auditlog_compress = LDAP_OFF;
 
     init_auditfaillog_logging_enabled = cfg->auditfaillog_logging_enabled = LDAP_OFF;
@@ -7786,6 +7792,21 @@ config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf,
     return retVal;
 }
 
+int32_t
+config_set_auditlogbuffering(const char *attrname, char *value, char *errorbuf, int apply)
+{
+    int32_t retVal = LDAP_SUCCESS;
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+    retVal = config_set_onoff(attrname,
+                              value,
+                              &(slapdFrontendConfig->auditlogbuffering),
+                              errorbuf,
+                              apply);
+
+    return retVal;
+}
+
 int32_t
 config_set_securitylogbuffering(const char *attrname, char *value, char *errorbuf, int apply)
 {